Signing & Encryption

Signing and Encryption

Signing - A signature is created against a client's private key which can be verified with a client's public key. This signature will fail verification if the message was altered. This feature can be used with both non-encrypted data and encrypted data.

Encrypting - A message is encrypted with the public key of the intended recipient. After this process, the message is only readable by the person who has the private key to decrypt it.

Public Key Encryption:

Public key encryption allows people to encrypt and decrypt messages without having to share a password to unlock them. An encryption scheme, introduced by Diffie and Hellman in 1976, where each person gets a pair of keys, called the public key and the private key. Each person's public key is published while the private key is kept secret. Messages are encrypted using the intended recipient's public key and can only be decrypted using his private key. This is often used in conjunction with a digital signature.The need for sender and receiver to share secret information (keys) via some secure channel is eliminated: all communications involve only public keys, and no private key is ever transmitted or shared.

PKI and Digital Certificates:

Each certificate is based on a pair of cryptographic keys that form a high strength unique credential that is tightly associated with the user or organization in question and that is used to perform secure operations such as encryption or signing. A Certificate Authority (CA) is responsible for issuing digital certificates and performing the various procedural steps to ensure that those certificates embody the appropriate levels of trust for their intended purpose. The CA forms the heart of a public key infrastructure (PKI) that underpins one or many applications and supports anything from a handful of certificates to many millions. Organizations wishing to take advantage of certificates and the security functions that they enable have a choice of building their own PKI or purchasing certificates from external service providers. The latter option is most appropriate if certificates and identities are to be shared and trusted between different organizations or domains. Organizations deploying internal PKIs have the flexibility to define the security models that fit their specific needs.

Risks Associated with PKI and Digital Certificates

Theft of CA signing private keys or root keys enables bogus certificates to be issued and any suspicion of compromise may force re-issuance of some or all of the previously issued certificates.

Weak controls over the use of signing keys can enable the CA to be misused, even if the keys themselves are not compromised.

Theft or misuse of keys associated with online certificate validation processes can be used to subvert revocation processes an enable malicious use of revoked certificates.

As new applications are brought online, not attending to the performance aspects of signing activities associated with issuance and validation checking can result in significant business impact.